To celebrate the 11th annual National Cyber Security Awareness Month (NCSAM), (ISC)² has released its fifth and final set of tips by its Application Security Advisory Council: tips for more secure software.
“Make sure your business functionality maps to a security plan (i.e., security is built-in, not bolted-on).
Design your software with the future in mind, not just of the now (i.e., it is adaptable to talent, technological and threat changes).
Don’t develop your software if your modus operandi is, ‘You start coding, I will go find out what they want.’ This is not agile programming.”
-Mano Paul, CISSP, CSSLP, GWAPT, GSSP-.Net, MCAD, MCSD, CompTIA Network+, ECSA, Founder & CEO, SecuRisk Solutions and Express Certifications; Founder, HackFormers
“Always question what data you should trust. Where does your application really start and end?
Study your configurations to ensure you’re not leaving your software open to being hacked.
Understand the protections that are naturally within your platform, and USE them.”
-Glenn Leifheit, CISSP, CSSLP, Principal Security Architect, Microsoft
“Look into the CSSLP! Secure software involves more than just writing code. Test, Test, and Test your code some more!
Think ‘Dysfunctionally’. ‘Dysfunctional Testing’ involves not just testing your software for how it should work, but also how it should not work. Test abuse cases.
If you don’t test your software for security vulnerabilities, others will on your behalf in the field. Vulnerability test your product before it is released.
Fuzz, fuzz, and fuzz test your protocols some more.
DevOps is an important component of helping to make secure software.
Everyone has a role in helping make software secure. Secure software requires executive support, program management, product management, marketing, incident response teams, testers, developers, and release teams. We must work together to make secure software.”
-Tony Vargas, CISSP-ISSAP, CSSLP, Security+, Co-Founder, Chairman & President, (ISC)² Sacramento Chapter; Chair, (ISC)² Application Security Advisory Council
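The “dysfunctional testing” and “fuzz your protocols” advice above is easier to act on with a concrete harness in front of you. The following is an added illustration, not code from the page, from (ISC)² or from any of the quoted authors: it parses a hypothetical three-byte-header wire format (1-byte type, 2-byte big-endian length, payload), pairs the usual functional test with abuse-case tests that assert malformed input is rejected with one well-defined exception, and runs a small deterministic mutation fuzzer that counts any other exception as a crash. The message format, the `MAX_PAYLOAD` limit and all sample bytes are constructed for the example.

```python
"""Abuse-case ("dysfunctional") tests and a small mutation fuzzer for a
length-prefixed message parser.  Constructed example: the wire format,
the limit and the inputs are hypothetical, not from any real protocol."""
import random
import struct

MAX_PAYLOAD = 1024  # hypothetical protocol limit on the declared length


class ProtocolError(ValueError):
    """The only exception the parser may raise for bad input (fail closed)."""


def parse_message(buf: bytes) -> tuple:
    """Parse: 1-byte type | 2-byte big-endian length | payload.

    Returns (msg_type, payload).  Every malformed input must raise
    ProtocolError; any other exception (IndexError, struct.error,
    MemoryError) is exactly the kind of bug abuse-case tests exist to find.
    """
    if len(buf) < 3:
        raise ProtocolError("header truncated")
    msg_type = buf[0]
    (length,) = struct.unpack(">H", buf[1:3])
    if length > MAX_PAYLOAD:  # bound the declared length before trusting it
        raise ProtocolError(f"declared length {length} exceeds limit")
    payload = buf[3:3 + length]
    if len(payload) != length:
        raise ProtocolError("payload truncated")
    if len(buf) != 3 + length:
        raise ProtocolError("trailing bytes after payload")
    return msg_type, bytes(payload)


def build_message(msg_type: int, payload: bytes) -> bytes:
    """Encode a well-formed message; used to seed both tests and the fuzzer."""
    return bytes([msg_type]) + struct.pack(">H", len(payload)) + payload


def functional_test() -> bool:
    """How it should work: a valid message round-trips."""
    msg_type, payload = parse_message(build_message(7, b"hello"))
    return msg_type == 7 and payload == b"hello"


def abuse_case_tests() -> dict:
    """How it should NOT work: each case must be rejected with ProtocolError."""
    cases = {  # constructed malformed inputs
        "empty": b"",
        "header_only": b"\x01\x00\x05",
        "length_larger_than_data": b"\x01\x00\x10abc",
        "length_over_limit": b"\x01\xff\xff" + b"A" * 10,
        "trailing_garbage": build_message(1, b"ok") + b"\x00",
    }
    results = {}
    for name, data in cases.items():
        try:
            parse_message(data)
            results[name] = "accepted"  # abuse input got through: a bug
        except ProtocolError:
            results[name] = "rejected"
        except Exception as exc:  # wrong exception type: also a bug
            results[name] = f"crashed: {type(exc).__name__}"
    return results


def fuzz(iterations: int = 2000, seed: int = 1234) -> dict:
    """Mutation fuzz: flip, insert or drop bytes of a valid message and
    tally outcomes.  Any 'crashed' count means the parser is not failing
    closed; 'accepted' mutations (e.g. payload-only changes) are expected."""
    rng = random.Random(seed)  # fixed seed so a failure is reproducible
    base = build_message(2, b"payload-bytes")
    outcomes = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        data = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            op = rng.choice(("flip", "insert", "drop"))
            if op == "flip" and data:
                i = rng.randrange(len(data))
                data[i] ^= rng.randrange(1, 256)
            elif op == "insert":
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
            elif op == "drop" and data:
                del data[rng.randrange(len(data))]
        try:
            parse_message(bytes(data))
            outcomes["accepted"] += 1
        except ProtocolError:
            outcomes["rejected"] += 1
        except Exception:
            outcomes["crashed"] += 1
    return outcomes


if __name__ == "__main__":
    print("functional:", functional_test())
    print("abuse cases:", abuse_case_tests())
    print("fuzz outcomes:", fuzz())
```

The point of the harness is the split between `ProtocolError` and every other exception: the abuse cases and the fuzzer both treat a bare `IndexError` or `struct.error` as a defect, which is what turns “test how it should not work” into an assertion a CI job can fail on. Removing the `MAX_PAYLOAD` check or the truncation check and re-running the harness shows which case catches each omission.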
“If you’re developing software, the OWASP Cheat Sheets [authored in part by ASAC member Tom Brennan] should be helpful: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series”
-Tom Brennan, CISSP, Global Vice Chairman, OWASP Foundation; Founder, proactiveRISK and CyberTOOLBELT